© IE Online Media Services Pvt Ltd
Tags:
Journalism of Courage
Since the Telecommunications Act, 2023, partially went into effect in June this year, the Department of Telecommunications (DoT) has been gradually proposing various sets of rules that would put key parts of the revamped telecom legislative framework into action.
The rules that have been drawn up by the DoT so far cover important aspects such as internet shutdowns, cybersecurity, surveillance, and setting up of telecom infrastructure in the country, among others. All rules and provisions of the new Telecom Act will be notified within the next 180 days, Union Minister of Communications Jyotiraditya Scindia had said at the launch of the India Mobile Congress 2024 in July.
Despite concerns regarding vague language, mass surveillance, and threats to online privacy, the contentious Telecom Act was passed into law by Parliament in December last year and replaces three outdated pieces of legislation including The Indian Telegraph Act, 1885.
Here is what you need to know about the bevy of new rules proposed by the DoT under the new Telecom Act.
As per the draft rules, internet shutdowns can only be ordered by the home secretary of the Union Ministry of Home Affairs at the national level or the secretary in-charge of the state home department at the state-level. If both of them are not able to issue the shutdown order due to unavoidable reasons, an officer not below the rank of a joint secretary at the Centre can issue the shutdown order.
The draft rules further state that a shutdown order needs to be published and needs to clearly state the reasons why the internet was suspended. The order would further need to clearly define the geographical area of the internet shutdown and specify its duration, which cannot go beyond 15 days.
A copy of the shutdown order needs to be sent to the review committee within 24 hours. Within the next five days, the review committee has to meet and examine the legal validity of the internet shutdown order while recording its findings. The shutdown order can be set aside if the committee decides that it is not in accordance with the law.
The three-member review committee will comprise the cabinet secretary, the legal affairs secretary, and the DoT secretary at the Centre. A review committee constituted under a state government will include the state secretary, the law secretary, and any other secretary other than the home secretary.
Law enforcement agencies are further required to designate nodal officers in every state or union territory in order to implement the internet shutdown order.
With the Telecom Act empowering the government to intercept messages in cases of emergencies and in the interest of national security, these rules contain detailed instructions on the process of intercepting messages.
As per the draft rules, interception orders can be issued by officials with the same titles as those who handle shutdown orders, except that the head or the second senior most officer not below the rank of Inspector General of Police of an authorised agency can also issue interception orders under certain circumstances.
Interception orders should contain the name of the agency intercepting the messages and state the reasons for interception. These orders will only be valid for 60 days, unless renewed. Interception orders cannot last longer than 180 days at a time.
Agencies are required to maintain records of the intercepted messages, details of individuals behind the messages, details of the officer or agency intercepting the messages, the number of physical or digital copies of the intercepted messages, and date of destruction of the copies.
These records need to be destroyed every six months, unless they are “required for functional requirements.”
Interception orders must be sent to a review committee within seven days. The composition of the three-member committee to review interception orders is the same as the one tasked with reviewing shutdown orders. This committee is required to meet every two months to decide the legal validity of an interception order and record its findings. The order can be set aside if the committee finds that it violates the law.
At the telecom entity’s end, they are required to appoint two senior employees to implement interception orders. In case of any unauthorised interception, the telecom entity will be held responsible. This marks a departure from the existing version of the rules which allow the central government to revoke or temporarily suspend the licences of telecom operators for unauthorised interception.
For the purposes of protecting and ensuring telecom cybersecurity, the draft rules allow the central government to collect traffic data from telecom entities. Traffic data is defined as “any data generated, transmitted, received or stored in telecommunication networks, including data relating to the type, routing, duration or time of a telecommunication.”
The traffic data collected can further be shared with any national-level law enforcement or security agency as well as other telecom entities and users. The draft rules require these agencies to put in place adequate safeguards that prevent unauthorised access to such data.
The DoT has also proposed to make it illegal for individuals to use telecom services for sending fraudulent messages and messages that adversely affect telecom cybersecurity.
Under the draft rules, the central government is empowered to set up digital mechanisms to identify any act that endangers telecom cybersecurity. It is subsequently allowed to identify the person behind the act using the corresponding telecom identifier and issue a notice to them. The individual who receives such a notice has seven days to respond. Based on this response, the central government can request a telecom entity to temporarily suspend or terminate the telecom identifier linked to the person.
The government can also immediately take action and temporarily suspend telecom identifiers in the interest of public safety, as per the rules. It can request telecom entities to block the use of telecom equipment with tampered IMEI numbers as well.
Indian telcos that suffer data breaches or any other security incident are required to promptly report the incident to the central government and share the steps it has taken to address such incidents. These reports need to contain details about the number of users affected due to the security incident as well as the duration, geographical area, economic and societal impact, etc.
The public will be informed of a security incident affecting telecom networks only if the central government deems it to be in public interest.
On August 28, the DoT released another set of draft rules aimed at safeguarding telecom networks and equipment that can be classified as critical telecom infrastructure under the Act.
Under the draft rules, the central government is allowed to notify any telecom network or equipment as critical telecom infrastructure if “the disruption of such infrastructure will have a debilitating impact on national security, economy, public health or safety of the nation.” The government can also order authorised personnel to inspect the hardware, software, and data of critical telecom infrastructure.
Indian telecom entities are required to appoint a chief telecom security officer who will be responsible for implementing the rules and share all logs relating to critical telecommunication infrastructure with the central government, along with network architecture details, inventory details, security audit reports, compliance reports, cyber crisis management plans, and service level agreements.
Other obligations for Indian telcos include preserving logs and documenting changes to the network architecture, maintaining supply chain records of telecom equipment, carrying out annual threat analysis of telecom network architecture, setting up mechanisms to report cybersecurity incidents to the central government, and more.
Telecom entities are allowed to upgrade their critical telecom infrastructure only after receiving approval from the central government, as per the draft rules.
The DoT’s rules on the utilisation of funds collected under the Digital Bharat Nidhi (DBN) was put up for consultation on July 4 and went into effect on September 2.
Under the Telecom Act, the previously known Universal Services Obligation Fund (USOF) was renamed as Digital Bharat Nidhi. The funds for DBN come from the 5 per cent levied on the adjusted gross revenue (AGR) of Indian telcos. It is intended to fund projects that boost telecom access in underserved rural, remote, and urban areas of India.
What is the criteria for funding?
According to the rules, schemes and projects that are eligible for funding must make next-gen telecom tech accessible and affordable in remote parts of the country, while also promoting innovation and commercialisation of indigenous tech development by creating regulatory sandboxes, establishing new compliance standards, and encouraging start-ups that manufacture telecom equipment, etc.
The scope of funding is broader under the DBN, when compared to the USOF. For instance, the rules state that the initiative should fund schemes and projects that provide targeted access to telecom services for underserved groups of society such as women, persons with disabilities and economically and socially weaker sections
However, it requires recipients to ensure that the telecom networks and associated services developed using these funds must be provided “on an open and non-discriminatory basis.”
The rules further state that a DBN administrator will be appointed by the central government to oversee project applications, disbursements of funds, and monitoring of sanctioned projects.
Projects that promote and support telecom service delivery in underserved rural, remote, and urban areas will be selected via a bidding process while R&D projects will be chosen based on their applications. Additionally, the DBN administrator has the power to nominate projects for funding with the central government’s approval.
As per the rules, DBN implementers can set up regulatory sandboxes for testing of developed telecom technologies.
